CFEngine Community / CFE-2406

Daemons should re-parse augments file when policy is reloaded

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 3.7.3, 3.7.4, 3.10.0, 3.7.5, 3.10.1
    • Fix Version/s: 3.12.0, 3.10.3, 3.7.7
    • Component/s: cf-execd, cf-serverd
    • Labels:
      None
    • Steps to reproduce:
      Manual steps provided

      Description

      Resolved for:

      • cf-serverd
      • cf-execd

      EDIT: Removed cf-monitord from consideration here. It doesn't seem to reload itself on change at all, as noted in CFE-1003.

      It appears that cf-serverd (probably cf-monitord and cf-execd as well) does not re-parse the augments file (def.json) when the daemon re-loads itself due to a policy change.

      I edited controls/3.7/def.cf and changed the default acl to not include $(sys.policy_hub)/16 but instead only $(sys.policy_hub). My hub is at 192.168.33.2 and my test client (also running 3.7.3) has 192.168.33.3.

      I placed a def.json in the root of my masterfiles and ran the update policy (to get it into inputs where cf-serverd can use it) to define acl from it.

      {
        "vars":
        {
          "acl": [ "192.168.33.2", "192.168.33.3" ]
        }
      }
      

      Then I killed cf-serverd and ran it with strace and verbose logging.

      strace -o /tmp/strace.out /var/cfengine/bin/cf-serverd -Fv | tee /tmp/cf-serverd.log
      

      I saw that the IPs I defined in def.json were allowed.

      verbose: Host IPs allowed connection access:
      verbose: IP '192.168.33.3'
      verbose: IP '192.168.33.2'
      verbose: IP '::1'
      verbose: IP '127.0.0.1'
      

      I saw my test host 192.168.33.3 successfully be granted access on its file copy.

      Then I made a simple comment change in my policy and waited for cf-serverd to update the policy and reload itself.

      When it reloaded in the access summary I saw:

      verbose: Host IPs allowed connection access:
      verbose: IP '192.168.33.2'
      verbose: IP '::1'
      verbose: IP '127.0.0.1'
      

      Then I inspected the strace output for references to def.json:

      [root@hub masterfiles]# grep def.json /tmp/strace.out
      open("/var/cfengine/inputs/def.json", O_RDONLY) = 3
      stat("/var/cfengine/inputs/def.json", {st_mode=S_IFREG|0644, st_size=572, ...}) = 0
      newfstatat(4, "def.json", {st_mode=S_IFREG|0644, st_size=572, ...}, AT_SYMLINK_NOFOLLOW) = 0
      openat(4, "def.json", O_RDONLY)         = 3
      lstat("/var/cfengine/inputs/def.json", {st_mode=S_IFREG|0644, st_size=572, ...}) = 0
      

      I also inspected the verbose logging for references to def.json:

      [root@hub masterfiles]# grep def.json /tmp/cf-serverd.log
       verbose: Loading JSON augments from '/var/cfengine/inputs/def.json' (input dir '/var/cfengine/inputs', input file '/var/cfengine/inputs/promises.cf'
       verbose: Loaded augments file '/var/cfengine/inputs/def.json', installing contents
       verbose: Installing augments slist variable 'def.acl' from file '/var/cfengine/inputs/def.json'
       verbose: C: discovered hard class feature_def_json
       verbose: C: discovered hard class feature_def_json_preparse
       verbose: C: discovered hard class feature_def_json
       verbose: C: discovered hard class feature_def_json_preparse
      

      I could only find that def.json was accessed upon initial daemon start, and did not seem to be re-parsed by the automatic re-load.
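
A check for the symptom described in this report, as an added example (not part of the original report and not CFEngine code): it compares each `Host IPs allowed connection access` summary in a cf-serverd verbose log against `vars.acl` in def.json and flags any summary where an augments entry has dropped out. It assumes, as in the reporter's setup, that policy feeds `def.acl` into the allowed-connection list; the function names and the sample data are constructed for illustration.

```python
import json
import re

HEADER = re.compile(r"verbose: Host IPs allowed connection access:")
IP_LINE = re.compile(r"verbose: IP '([^']+)'")

def allowed_summaries(log_text):
    """Return one set of IPs per access summary logged (daemon start and each reload)."""
    summaries, current = [], None
    for line in log_text.splitlines():
        if HEADER.search(line):
            current = set()
            summaries.append(current)
            continue
        match = IP_LINE.search(line)
        if match and current is not None:
            current.add(match.group(1))
        else:
            current = None  # any other line ends the summary block
    return summaries

def augments_acl(augments_text):
    """Return the 'acl' list from the augments file's 'vars' section as a set."""
    return set(json.loads(augments_text).get("vars", {}).get("acl", []))

def stale_summaries(log_text, augments_text):
    """Return (summary index, missing IPs) for summaries lacking augments ACL entries."""
    wanted = augments_acl(augments_text)
    return [(i, sorted(wanted - got))
            for i, got in enumerate(allowed_summaries(log_text))
            if wanted - got]

# Constructed sample input, modelled on the excerpts quoted in the report.
SAMPLE_AUGMENTS = '{"vars": {"acl": ["192.168.33.2", "192.168.33.3"]}}'
SAMPLE_LOG = """\
 verbose: Host IPs allowed connection access:
 verbose: IP '192.168.33.3'
 verbose: IP '192.168.33.2'
 verbose: IP '::1'
 verbose: IP '127.0.0.1'
 verbose: C: discovered hard class feature_def_json
 verbose: Host IPs allowed connection access:
 verbose: IP '192.168.33.2'
 verbose: IP '::1'
 verbose: IP '127.0.0.1'
"""

if __name__ == "__main__":
    for index, missing in stale_summaries(SAMPLE_LOG, SAMPLE_AUGMENTS):
        print(f"access summary #{index} is missing augments ACL entries: {missing}")
```

Summary index 0 is the daemon start; any later index reported corresponds to a reload that came up without the augments-defined entries.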

        Attachments

        1. cf-serverd.log
          415 kB
          Nick Anderson
        2. strace.out
          1.01 MB
          Nick Anderson

              People

              • Assignee:
                a10042 Nick Anderson
                Reporter:
                a10042 Nick Anderson
              • Votes:
                8
                Watchers:
                12
